I'm still amazed how most companies, even when they've been breached and their reputation has been ruined, fail to fight malicious hacking correctly. Instead, they erect security defenses that have little to do with the threats they're hoping to prevent.
Let me give you a common scenario: I frequently consult with large companies that have been the victim of APT (advanced persistent threat) attacks. Usually those attacks succeed because one or more users' machines were silently compromised through a vulnerability for which a vendor patch was already available. Unpatched Java is to blame in more than 50 percent of these cases, but other common culprits include unpatched Adobe Acrobat, Windows, and so on. The other big risk is from users installing an app they shouldn't, such as a fake antivirus scanner, a fake disk defragger, or a bogus software driver.